July 29, 2010

MICHAEL J. AMATO
MANAGER, ENGINEERING SOFTWARE MANAGEMENT

SUBJECT: Audit Report – Access Controls Over the Electronic Data
         Distribution Infrastructure (Report Number IS-AR-10-011)

This report presents the results of our audit of the Electronic Data Distribution
Infrastructure (EDDI) (Project Number 10RG016IT000). Our objective was to determine
whether EDDI access controls are effective. We performed the audit to supplement a
U.S. Postal Service Office of Inspector General (OIG) investigation associated with
alleged unauthorized access to and modification of EDDI servers and files. This audit
addresses operational risk. See Appendix A for additional details about this audit.

EDDI servers – essentially workstations that share files – facilitate the automated
delivery of address data, mail sort programs, and application software updates required
to maintain current mail processing and handling equipment nationwide. Infrastructure
access controls help prevent unauthorized modification to, or unavailability of, the data
or systems that provide the Postal Service with the capability to deliver mail efficiently.

Conclusion

EDDI access controls are not effective. Management can improve preventive access
controls and preserve the U.S. Postal Service brand by xxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxx.

Access Controls

Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Xx

Administrators did xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx but rather, relied on automated
scripts[1] to gather xxxxxxxxxxxxxxx[2] only, which they believed to be an adequate
control. Comprehensive xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. Additionally,
administrators did not xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
because management did not emphasize information security policy. Moreover,
administrators did not obtain formal approval through eAccess[3] to utilize shared user
accounts because they were not aware of the requirement.[4]

[1] A script is a list of commands executed to automate processes on a computer.
[2] xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
[3] The Postal Service implemented the eAccess application to manage access to its information resources.
[4] Handbook AS-805, Information Security, dated November 2009, Section 9-4.2.4, Shared Accounts.

xxxxxxx mitigates the risk of unauthorized access or undetected malicious activity
occurring on the EDDI servers that might render the data or servers unavailable, which
would affect the Postal Service’s ability to deliver mail efficiently. xxxxxxx also enables
forensic analysis in the event of a compromise, thus improving the probability the
Postal Service can identify the cause of any unauthorized activity that poses a threat to
mail processing operations. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxunap
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx makes it difficult for administrators to identify
individuals who perform unauthorized modifications to servers or their data. See Appendix
B for our detailed analysis of this topic.

We recommend the manager, Engineering Software Management, direct the manager,
Software Development, to:

1. Enable xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx on
   Electronic Data Distribution Infrastructure servers.

2. Manage xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx according to Handbook
   AS-805, Information Security, requirements.

3. Obtain approval through eAccess to use shared user accounts within the Electronic
   Data Distribution Infrastructure environment.

Management’s Comments

Management agreed with the recommendations. In response to recommendation 1,
management will implement xxxxxxxxxxxxxxxxxxxxxxx on all EDDI servers.
Management stated that while they agree to implement recommendation 1, they believe
that xxxxxxx does not mitigate the xxxxxxxxxxxxxxxxxxxxxxxxx or undetected malicious
activity. To address recommendation 2, management will create individual user
accounts for all EDDI support personnel and set password expiration dates to 45 days.
Additionally, in response to recommendation 3, management will eliminate xxxxxxxx
xxxxxxxxxxxx on the EDDI servers.

The target completion date for all three recommendations is October 2010. See
Appendix C for management’s comments in their entirety.

Evaluation of Management’s Comments

The OIG considers management’s comments responsive to the recommendations and
management’s corrective actions should resolve the issues identified in the report.
Regarding recommendation 1, we believe that while xxxxxxxxxxxx may not mitigate the
risk xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx or
malicious activity so that appropriate actions can be taken to mitigate future
occurrences.

The OIG considers all recommendations significant, and therefore requires OIG
concurrence before closure. Consequently, the OIG requests written confirmation when
corrective actions are completed. These recommendations should not be closed in the
Postal Service’s follow-up tracking system until the OIG provides written confirmation
that the recommendations can be closed.

We appreciate the cooperation and courtesies provided by your staff. If you have any
questions or need additional information, please contact Frances E. Cain, director,
Information Technology, or me at 703-248-2100.

Darrell E. Benjamin, Jr.
Deputy Assistant Inspector General
 for Revenue and Systems

Attachments

cc: Steven J. Forte
    Kelly M. Sigmon
    Shahpour Ashaari
    Corporate Audit Response Management

APPENDIX A: ADDITIONAL INFORMATION

BACKGROUND

EDDI is an Information Technology (IT) infrastructure managed by the Engineering
Software Management group in xxxxxxxxxxxx. The infrastructure consists of over xxx
stand-alone servers that receive data via xxxxxxx and transfer the data to xxxxxx
xxxxxxxxxxxxxxxxxxxxxx[5] which interface with mail processing and handling equipment.
The EDDI servers – essentially workstations that share files – facilitate the automated
delivery of address data, mail sort programs, and application software updates required
to maintain current mail processing and handling equipment nationwide. Access
controls to the infrastructure help prevent unauthorized modification to or unavailability
of the data or systems and maintain the Postal Service’s capability to deliver mail
efficiently.

[5] xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx servers connect to automated mail processing systems and enable file transfers,
directory downloads, and terminal connections.

OBJECTIVE, SCOPE, AND METHODOLOGY

Our objective was to determine whether EDDI access controls are effective. To achieve
our objective, we interviewed key officials and reviewed applicable Postal Service
policy, standards, and procedures. We limited our review to access and xxxxxxxxxxx
controls on xxx EDDI servers using custom scripts and automated industry-accepted
software tools.

We conducted this performance audit from March through July 2010 in accordance with
generally accepted government auditing standards and included such tests of internal
controls as we considered necessary under the circumstances. Those standards
require that we plan and perform the audit to obtain sufficient, appropriate evidence to
provide a reasonable basis for our findings and conclusions based on our audit
objective. We believe that the evidence obtained provides a reasonable basis for our
findings and conclusion based on our audit objective. In addition, we used manual and
automated techniques to analyze computer-processed data and concluded the data
were sufficiently reliable to meet the report objective. We discussed our observations
and conclusions with management officials on June 30, 2010, and included their
comments where appropriate.

PRIOR AUDIT COVERAGE

The OIG did not identify any prior audits or reviews related to the objective of this audit.

APPENDIX B: DETAILED ANALYSIS

Access Controls

We assessed xxx EDDI servers and identified that administrators did not:

    •    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
         xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.

    •    Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
         xxxxxxxxxxxxxxxxxxxxxxxxx.

    •    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    •    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
         xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
         xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.

    •    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.

Information security policy requires that:

    •    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.[6]

    •    Personnel authenticate[7] to information resources before performing any other
         action. One method of authentication is to require passwords.[8]

    •    Passwords for privileged or sensitive accounts expire at least every 30 days and
         passwords for all other accounts expire at least every 90 days. Management
         must make a request, in writing, to the manager, Corporate Information Security,
         for use of non-expiring passwords and document their use in eAccess.[9]

    •    Management delete logon identifications for user accounts not used within
         1 year.[10]

    •    Management obtain approval to utilize shared user accounts via eAccess.[11]

[6] Handbook AS-805, xxxxxxxxxxxxxxxxxxxxx.
[7] Authentication verifies the claimed identity of an individual or workstation.
[8] Handbook AS-805, Section 9-6, Authentication.
[9] Handbook AS-805, Section 9-6.1, Passwords.
[10] Handbook AS-805, Section 9-5.5, Terminating Logon Identification.
[11] Handbook AS-805, Section 9-4.2.4, Shared Accounts.

APPENDIX C: MANAGEMENT’S COMMENTS